[Bro] strange dropped packets issue

Justin Azoff JAzoff at uamail.albany.edu
Tue Nov 3 15:32:06 PST 2009


On Tue, Nov 03, 2009 at 05:12:49PM -0600, William L. Jones wrote:
> Should have read all of your message.  At some point libpcap was changed to have the same semantics as libpcap on BSD: the error counter returns the number of errors seen on the interface since it was opened, instead of the old Linux behavior of returning the number of errors since the previous status.
> 
>   
> In PktSrc.cc change:
> 
> #ifdef HAVE_LINUX
>         // Linux clears its counters each time.
>         s->received = stats.received;
>         s->dropped = stats.dropped + pstat.ps_drop;
>         s->link = 0; // not available
> #else
>         // Default assumes FreeBSD's semantics.
>         s->received = stats.received;
>         s->dropped = pstat.ps_drop;
>         s->link = pstat.ps_recv;
> #endif
> 
> To
> 
> 
>         // Default assumes FreeBSD's semantics.
>         s->received = stats.received;
>         s->dropped = pstat.ps_drop;
>         s->link = pstat.ps_recv;
> 
> 
> Bill Jones

Ah, I think you nailed it.  I took a look at some values of dropped, and not
only were they going up, they were going up by multiples of the same exact
value.  This explains why I was seeing a huge number of dropped packets but no
cpu load.

With that fixed, I have found another bug: I notice that when bro starts, it prints to the load log:

"0.000000 switched to LoadLevel9"

(I set the default to 9, but it's the same with 10)

But it does not actually change the pcap filter.

It's only when the load level changes:
"1257290873.632846 switched to LoadLevel8"

does the packet filter change.  I bet this is a race condition somewhere; the
fact that the time is 0 probably means something isn't fully set up yet.

-- 
-- Justin Azoff
-- Network Performance Analyst
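
The counter mix-up discussed in this message, as an added example that is not part of the original e-mail or of Bro's source: it replays constructed `ps_drop` readings through both interpretations and shows why the reported drops climb in multiples of one value when a cumulative counter is treated as a per-poll delta. It assumes the running total is built by adding each poll's `ps_drop`, and that `ps_drop` is a 32-bit unsigned counter; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: ps_drop as returned by successive pcap_stats() calls
 * on a libpcap with cumulative (BSD-style) counters. 500 packets were dropped
 * before the first poll and none afterwards. */
static const uint32_t SAMPLES[] = { 500, 500, 500, 500 };
#define N_SAMPLES (sizeof(SAMPLES) / sizeof(SAMPLES[0]))

/* Old Linux assumption: each reading is a delta since the previous poll,
 * so every reading is added to a running total (assumed accounting). */
uint64_t total_assuming_reset(const uint32_t *ps_drop, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += ps_drop[i];
    return total;
}

/* BSD semantics: the reading is already cumulative since the interface
 * was opened, so the latest reading is the total. */
uint64_t total_assuming_cumulative(const uint32_t *ps_drop, size_t n)
{
    return n ? ps_drop[n - 1] : 0;
}

/* Drops between two polls under cumulative semantics. Unsigned subtraction
 * gives the right answer across a single 32-bit counter wrap. */
uint32_t drops_since(uint32_t prev, uint32_t cur)
{
    return cur - prev;
}

int main(void)
{
    /* The mis-accounted total grows by 500 per poll with no new drops. */
    for (size_t n = 1; n <= N_SAMPLES; n++)
        printf("poll %zu: reset-assumed=%llu cumulative=%llu\n", n,
               (unsigned long long)total_assuming_reset(SAMPLES, n),
               (unsigned long long)total_assuming_cumulative(SAMPLES, n));
    printf("delta across wrap: %u\n",
           (unsigned)drops_since(4294967290u, 4u));
    return 0;
}
```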
